Open Wireless Access

We were open but have moved to authenticated access. We have guest access accounts but people still have to log in. At Starbucks, you are paying for the access as part of the price of the coffee… it is not “free.”

So we ARE like Starbucks.  Buy a course, get free wireless …

At Seton Hall University we do the same as Molloy; users’ have to log in using their network credential to get wireless access, but we provide guest accounts for library patrons, temp SSID’s/passwords for conferences, and the like. 

I’d be interested in whether campuses that do provide open wireless still come under the “private network” exception to CALEA compliance.

Cheers,

Steve

We have an open wifi / visitor based network. Gets them internet and no more.  Handy for visitors and conferences…parents etc.  Anymore some form of visitor based network is simply expected…

Brian

Creighton University

We provide access to the Internet - and nothing else - to guests via wireless, no password required, for up to 12 hours.  It's useful for visiting speakers, prospective students, etc. so that they can get to the Web and their Web-based email. 

David
_____________________________________________________________________
David W. Sisk    Associate Director for Administration, Information Technology Services
Macalester College    /    1600 Grand Avenue    /     Saint Paul, Minnesota  55105-1899
http://www.macalester.edu/~sisk/                Voice (651) 696-6745,  FAX (651) 696-6778

Here at Roane State we have a “guest” access on our wireless network which restricts visitors to the Internet only.  We then provide a less restrictive access to active employees and registered students who use their own devices and finally we have an open access to Roane State owned devices we register on the wireless network that allow users to work as if they were at their desktop. 

We provide 3 (soon to be 2) SSIDs for wireless access. 

We have a “guest” SSID that is restricted to basically only allow HTTP traffic. This is open to anyone.  It’s been available on campus now for over a year and has made our lives much simpler when hosting events, etc.

We also have an unencrypted, NAC controlled (Bradford Campus Manager) SSID and a WPA2 SSID.  We intend to remove the unencrypted SSID sometime next year leaving only encrypted wireless access and guest.  We’ll probably use .1X for authentication on the WPA2 wireless as we’re planning to move away from our NAC system. 

Carmen,

Hood College is not a state/publicly funded institution.  We started an open “guest” SSID this semester with limited bandwidth / port 80 only.  Our stats show a high rate of usage (20-25%) despite the availability of higher speed connections.  I suspect that some of our neighbors are joining us, but the expectation of Starbucks-like availability has triggered this experiment.  Unfortunately,  I do not know if we will be able to put Pandora back in her box.

Neil Fay, CTO, Hood College

We follow what appears to be the most typical model where all wireless access requires the users to logon to the network, where all faculty, staff and students already have the appropriate logon credentials, and where there is a mechanism in place to create temporary guest accounts as needed.  And we certainly strive to have 100% coverage of all the public, indoor areas of all our campuses.  I’ve been very happy with this model for all the reasons that have been so eloquently stated by others in this thread.

I’m a user, too, and I’ve been perfectly happy for years to logon to the campus network with my laptop, for example if I take it somewhere on campus to give a presentation.  But as a user, I’m finding that having to logon to the network every time I want to connect my iPhone to the campus wireless network to be very off putting.  At home, my wireless network is secure and my iPhone remembers the key to connect to my network.  But at work, when I use my iPhone to connect to the campus wireless network, I have to interact with the security model at a totally different level.  I’m taken to a Web page where I have to enter my username/password every single time I use the iPhone, and it proves much easier just to turn off Wifi on my iPhone at work and use 3G instead.  This is obviously not an optimal solution.

So I’m wondering if there might not be a way to enter my username/password into my iPhone a single time and have it logon to the campus network for me automatically the same way the iPhone can remember the encryption key for my home wireless network.  Is there an app for that?  I was thinking that it might be  a little scary for my iPhone to store my username/password, but actually my iPhone already stores my username/password because the iPhone is configured to connect to my campus E-mail.  This mobile stuff is really a game changer.

Jerry

----------------------------------------------------------------------------------------
Jerry Bryan • Vice President of Information Services • Pellissippi State • 10915 Hardin Valley Road • P.O. Box 22990 • Knoxville, TN 37933-0990

Voice: 865 539-7127 •  Fax: 865 539-7653 •  E-mail: jbryan@pstcc.edu

Perhaps I’m missing something but I’m not sure I would agree that open access, even with filtering, is no less secure than the public internet. I understand the idea of trying to reduce DMCA issue risks with filtering and that makes some sense. To me the issue is one of being able to track activity back to an endpoint. At my home my endpoint can be identified by my DSL provider. For a mobile device, the mobile service provider can identify the endpoint. In your model, there is no identification of the endpoint other than the MAC address of the device. I have been involved in enough security investigations, including FBI activities, to know that that would not be sufficient to determine who did what.

This link http://www.wired.com/threatlevel/2011/08/hacking-from-mcdonalds describes an incident where someone used the open access wi-fi at a McDonald’s restaurant to crash the network and server infrastructure of a company. They basically deleted all of their virtual servers. This person was caught because they were dumb enough to use a credit card to make a purchase at the same restaurant during the time the illegal activities were taking place. A smarter criminal would have sat in a parking lot a few hundred yards away and used a directional antenna. This person no doubt had access to various secured and non-anonymous networks but where did they chose to go to do their illegal activity? If you offer open, unauthenticated access to your wi-fi, how are you going to prevent someone from doing the same thing? How will you assist law enforcement with tracking down the criminal when they determine that your network was involved?

--
Ron Parker, Director of Information Technology, Brazosport College
Voice: (979) 230-3480             FAX: (979) 230-3111
http://www.brazosport.edu

This e-mail sent from my non-mobile, 64-bit, quad core, Windows 7 workstation.

I’ve tried a variety of devices (Laptop, ThinkPad Tablet, Atrix, iPad, etc.) on Seton Hall’s network and I typically only have to authenticate once (but I do have to re-enter my credentials every time I change my network password, which at SHU is required every 90 days for employees and every 180 days for students).  We use 802.1x in conjunction with AD, and my iPad, for example, has no problem with this; it remembers my AD credentials and even politely reminds me to re-enter them after I change my network password (some older devices aren’t as polite, but they do all seem to work).

In speaking with my network folks yesterday, they reminded me that we do provide an open 802.11g SSID in the residence halls, but they’re careful to contain the open SSID there insofar as possible (they use many AP’s, typically one for each suite, so that the gain and bleed are both fairly low).  The issue that solves is that students bring gaming devices, Tivo’s, and the like that do not “play well” with 802.1x and AD (especially older devices), so this gives them a way to connect their gaming devices.  Networking tells me that most devices in the residence halls are connecting to the 802.11n SSID via 801.x and AD even though they have an open SSID available there (and that makes sense, because most of the devices are mobile and so are going to have the students credentials stored already).  Because the residence halls are closed (students need to swipe in, and their guests need to sign in and show ID), we haven’t had a problem with this - - so far.

I, too, am enjoying the discussion.

Best regards,

Steve

Laws and resources aside, I wonder what we believe our obligation is when we provide access to the internet.

I realize the natural conflict  between the role of the our institutions in providing public good vs. security matters, but I think this maybe more of a fundamental question about the benefits and perils of having “anonymous”  internet user in today’s society and our role in dealing with that.  

Hossein Shahrokhi

CIO, UH-Downtown

Cost is an interesting conversation.  As is the whole consumer device debate.

However, it seems that the whole CALEA law is being ignored by many institutions in this conversation.  Starbucks and hotels are not subject to those same laws, so we are not comparing apple to apple here,  Starbucks or a hotel has an ISP to provide their internet service, however in EDU, we ARE the ISP in most cases.  That is the difference, and where the CALEA laws come into play.

Of those schools who have chosen to allow free and "OPEN" hotspot access, how many of you have consulted your legal team?  Can anyone give me specific examples of legal cases that exempt us from CALEA to allow open network access, hardwired or WiFi?  Is so, many other institutions would re-evaluate our setups.  Perhaps some schools simply assume the risk, and are willing to pay the huge expense to modify their networks to allow on the spot, anytime taps of all network and VOIP traffic by the government?  I'd also be interesting in hearing of how many schools don't find those taps to be an issue.


On 11/10/2011 6:47 PM, Theresa Rowe wrote:

I completely agree with the idea that the consumer market has changed the expectations.  Our campus hasn't caught on to the idea that they need to support wireless like they do restrooms.  I tried points like this, emphasizing the need to commit to wireless and the link to mobile services.  We can't move services to mobile platforms if we are not committing to wireless.  But I'm struggling offering this to paying customers; the commitment isn't there.  Sort of like the restaurant with the sign "Restrooms are for paying customers only."

Theresa